Removing browser hijacks, Virus's and Spyware Page: 1There are a number of different type of programs that could be causing the mayhem on your system. I'll provide steps for removing each type in the order I would follow. At the end will be some steps you can take to prevent this from happening again.

Note: If you are using Spyware Eliminator or any other software from Aluria software stop using the software, you are not being protected. Read the warning at the end of this post.

Removal

1. Uninstall

Open the Add/Remove Programs control panel and read through the list of installed software for anything you don't recognise. If there's anything you don't recognise it's probably best to uninstall it. If you want to find out what it is try http://www.google.com and search for the name. While you're here you may as well uninstall anything you no longer need.

2. MSConfig

Click on Start and then Run. Type msconfig and press Enter. Click on the Startup tab. Here you have a list of all the programs that run when you start Windows. Untick anything you don't recognise. Be aware that some of these things may be required by some other software/hardware you have installed. For a very comprehensive, searchable list of possible startup items check out SysinfoWhen you have made your changes click Ok and restart. When Windows loads a window will pop up reminding you that you have used MSConfig to make changes to your system. Tick the don't remind me box and click Ok. If something has stopped working run MSConfig again and enable it again.

3. System Restore

If you are running Windows ME or XP it's possible that some of the programs you'll be working hard to remove will be hiding in an old System Restore point. Probably the easiest way to remove your old restore points is to turn System Restore off. Open the System control panel and click on the System Restore tab. Tick the box "Turn off System Restore on all devices". Click Ok and reboot your computer. All previous restore points have now been removed. Leave System Restore off for the time being. We'll turn it back on later.

4. Viruses

One of the better options for virus removal is to take the infected drive and install it into another computer with up to date antivirus software. I'm not including details on how to do this as I consider it outside the scope of this 'how to'. If you are not comfortable doing this skip down to the next paragraph. Provided you don't start opening files from the infected drive this will prevent the virus from activating. Some viruses may not be completely removed, or not be removed at all if they are active.

With or without the second computer it's best to scan for viruses with Windows booted into Safe Mode. To enter Safe Mode reboot your computer. After the BIOS has finished checking your RAM, drives and so forth it will hand over to your operating system. For Windows 98 this is the point where you need to hit F8, just before the Windows 98 splash screen is displayed. If you timed it right a menu will show up with a number of different startup options. Select Safe Mode. Windows 2000 and XP both have a prompt to say you can press F8 now to access the menu.

Under Safe Mode Windows will only load the bare minimum it needs to run. This can help prevent viruses from working and make them easier to remove. Because of this your resolution will be set to 640x480 and the number of colours dropped to 16. Do not worry, this is only temporary. It will return to normal when you reboot.

#Note: Safe mode was suggested knowing that this is best for Norton Anti Virus but not all virus scanners work under safe mode. As at 21/7/2004 Trend Micro's PC-Cillin does not work if you have booted into safe mode and are running Windows 2000 or XP. Trend Micro appear to be aware of this problem. Their current fix is to visitTrendMicro and download the Damage Cleanup Engine. There is no mention of this problem on that page and searching for "safe mode" in their Knowledge Base turned up no more relevant info. There are instructions on how to use the Damage Cleanup Engine on that page.

Once in Safe Mode open up your favourite antivirus software. What! you don't have a virus scanner! There are some free scanners out there. One popular free scanner is AVG Anti Virus Free Edition. You can download it from AVG's site here Grisoft Updates for AVG Anti Virus Free Edition are available here Click If, for whatever reason you don't have a virus scanner and don't want to install one some antivirus companies provide a free online scan. Trend Micro Housecall and Symantec Security Response are two such companies.

Before you even think about running a scan update your virus definitions. Depending on your setup you may have to do this before you boot into safe mode. There's no point trying to scan for the latest virus if your definitions are several months out of date. Some antivirus software gives you the option to scan all files rather than just executable files, eg. .exe and .com files. Enable this option. While most viruses are hiding in executables there are some that infect non-executable files. Also, if you have the option, scan inside zip/archive files.#Note: For those of you who use Eset's NOD32 AV software, there is an awesome guide to configuring it properly here

Ok, now you can run the virus scan. All clean? Great, move on to the next step.

Found a virus? Better clean it up first. Depending on the virus your antivirus software may or may not be able to remove it. Follow any removal instructions given by your antivirus software. When you try to remove the virus there are three possible outcomes: 1. Your antivirus software removes the virus and all is good. 2. The virus won't go quietly and infected file may have to be deleted or replaced with a clean copy. 3. Your antivirus software can't remove the virus. In the event of number 3 you may be able to remove it manually or with a removal tool designed to target that specific virus. Removal instructions and removal tools can be found at Symantec. AV Center Search for the virus and see what's available.

Once you have removed any viruses run a second scan to make sure nothing comes up again.

Removing browser hijacks, Virus's and Spyware Page: 25. SmartKiller

SmartKiller is part of a variant of the CoolWebSearch browser hijacker. SmartKiller will try to close various tools that have been designed to remove spyware and adware. All the gory details are here SpywareInfo We will need to check for and remove SmartKiller first. Download Safer Networking and unzip the removal tool. Run the tool and remove SmartKiller.

6. CoolWebSearch

The CoolWebSearch has many variants and isn't always completely removed by the other programs used in this how to. Before attempting to remove CoolWebSearch make sure you have followed the steps in the SmartKiller section above. "The CoolWebSearch Chronicles" has info on all the different variants and a link to CWShredder which will remove CoolWebSearch from your computer. The chronicles can be found here Spyware Chronicles.Download CWShredder, run it and click Fix to remove CoolWebSearch from your computer.

7. Home Search

Another little hijacker that may not be cleaned up properly is Home Search, AKA Home Search Assistant. Home Search uses a random filename which can make it harder to track down. There is a tool avaliable at HS Remove which will remove Home Search.

8. Adware

To remove adware your best bet is Adaware, available here Adaware or spybot S&D available here Spybot Home. Just like a virus checker this will need to be updated. Once updated click on Start. I prefer to use the "Select drivesfolders to scan" mode. Click on select and tick all your drives. Click on Proceed to return to the previous window. Make sure in-depth scanning is enabled. Click on Next to start the scan. When the scan has finished click Next and Adaware will display a list of the items it found. Tick all the items you want to remove, right click will give you the option to select all objects. For info on a specific item right click on it and select Item details. If you want to backup the selected items before you remove them click on the Quarantine button. Click on the Finish button to remove the selected items.

9. Spyware

Grab your self a copy of Spybot Search and Destroy from Spybot Home The latest version of Spybot runs a wizard the first time you open Spybot This wizard will ask you to create a backup of your registry and ask if you want to update as well as a few other options. These are good things. Get the wizard to do them. The wizard will also ask if you want to immunise your computer I'll talk about this later. At the end of the wizard you can read the help file and a tutorial if you want to. Now that you are in Spybot click on Check for problems. Once it's finished a list of all the items it found will be displayed. To get info on an item click on it and drag the arrows in from the right hand side of the window. An information window will open behind the arrows. Just like Adaware select what you want to remove and click Fix selected problems.

Spybot and Adaware both pick up some of the same things but neither picks up everything because they are targeted at different types of programs.

10. System Restore

Now it's time to turn System restore back on. Open the System control panel. Go back into the System Restore tab and untick the box "Turn off System Restore on all devices". A new restore point will be created.

Removing browser hijacks, Virus's and Spyware Page: 311. HijackThis#WARNING: While the other tools are pretty much foolproof, 'HijackThis' is not. Be careful when using it.

1. Close any open web browser or 'My Computer' windows. Start Hijack this (if this is the first time you've opened the program, read the warning and then click Ok to clear the box). Then click the top button in the 'New users quickstart' box: ' 'Do a system scan and save a logfile'.

2. When the logfile opens in notepad, click Edit ---> Select All to select all of the entries found. This should highlight the text in blue. Be sure to copy the text from notepad, not from the Highjackthis page that displays the results of the system scan (shown from behind Notepad).

3. You can copy and paste this into a document or web form for posting to a spyware support forum. I use the forum Spware Forums

Make sure you explain the symptoms and paste the entire Hijackthis logfile into the main window.

4. If you receive instructions that involve using the Hijackthis Fix option, start the program and, in the 'New users quickstart' box, click the 'None of the above, just start the program' button. Click the config button on the page that displays the results of the system scan, and on the main page ensure the default selections are ticked, particularly 'Make backups before fixing items'. Then click the Back button (which is always the only active button in the bottom two boxes on the config page).

Removing browser hijacks, Virus's and Spyware Page: 45. Click the scan button, scroll the list and tick the entries you want to fix and click the 'Fix Checked' button. Read the warning box and, if you still want to go ahead, click Yes to clear the warning box. Click the scan button again to be sure the items you just ticked no longer appear. Reboot your PC, run the HijackThis scan again and repeat this check.

Prevention

As they say prevention is better than cure. Here are a few tips to help prevent spyware, adware, viruses etc... from getting into your computer in the first place.

Change your browser

Ditch Internet Explorer and use something like Mozilla click here or Firefox Firefox They are more secure and come with built in popup blocking and ad blocking via a plugin called Adblock Download Here Older versions of FireFox were not recognised by some plugin installers, eg the Flash installer. If you experience problems installing plugins you may need to use Mozilla or another browser.

Change your E-mail client

Along with Internet Explorer give Outlook it's marching orders. There's a lot of viruses and the like that are written to use Outlook and/or the Windows Address Book. Try something like Thunderbird Thunderbird or Eudora Here

Be alert

Know what you are installing. Some programs come bundled with spyware, adware etc. eg. I'm not sure if this is still the case but the DivX codec used to come with GAIN/Gator adware. Also read any warnings that your browser displays. A program may be attempting to install it's self without your approval.

Stay up to date

Windows Update Need I say more? Ok, maybe I do. If you want to save a whole chunk of downloads you can order the Security Update CD from Microsoft's website. It includes Service Pack 1 for XP as well as a number of updates released after SP1. There is also updates for Windows ME, 2000 Professional, 98SE and 98. Also on the CD is Direct X 9.0b and Windows Media Player 9. The Securtiy Update CD is free. To have a copy sent to you fill out this form on Microsoft's website Here The Security Update CD comes with a second CD as well. On the second disc is a trial version of eTrust EZ Armor, a firewall and anti virus program. Or if you are running XP you can order Service Pack 2 on CD. Fill out this form SP2 Form and Microsoft will send it out to you. Some people have had problems with SP2 but I recommend you install it. If possible install it on a fresh install or better yet create a new XP install CD with SP2 slipstreamed and install from that. A forum search will turn up a number of threads to help with slipstreaming. If you want to stay with Internet Explorer SP2 will also provide popup blocking and help prevent sites installing software without your consent

Block bad programs

Spybot has an option to immunize your computer. This will block spyware before it gets onto your computer. This is aimed at Internet Explorer but can still help. Open Spybot and click on Immunize. A window will come up telling you how many bad products are already blocked. Click on Ok. Use the Immunize button at the top of the window to block these products. You can also enable blocking of bad addresses in Internet Explorer. If enable this option you can choose to block pages silently, display a dialog box when the page is blocked or ask for confirmation before blocking. Adaware has an "Ad-watch" program which can intercept bad programs before they make it onto your computer but you need a licensed version of Adaware.

SpywareBlaster is another product aimed at preventing spyware from installing it's self. I haven't used this program myself so I can't offer any more info. The website is here Spyware Blaster

Another product that works similar to Adaware and Spybot is Pestpatrol. It can scan for and remove spyware, adware and other similar programs. You can download an evaluation copy from the website Here To obtain the full copy, including a years worth of updates, you must purchase it. I have used this program so I can say it's worth the $US39.95. Pestpatrol also offer an online scan for spyware, adware, etc called PestScan. Find it here Petscan

A firewall of some description can be very useful. Especially if you have a permanent connection to the net. A properly configured firewall will prevent unauthorised access to your machine/network while allowing you to browse to your heart's content. There are a few different options available.

A hardware firewall.

You can find these inside routers, broadband modems and similar devices. They tend to be plug and play but can be configured if needed.

A firewall on a separate computer.

This is more for protecting a network. The computers on network would get their net access through a single server with a connection to the outside world. A connection sharer of some sort. There are a couple of different paths you could go down here. Some examples are a dedicated firewall/connection sharing computer. One popular setup for this is Smoothwall, Here Smoothwall is based on Linux and can be configured across the network. A similar approach would be Windows 2000/XP with Internet Connection Sharing. Not everyone's kettle of fish but still a possibility. A firewall for the DIYers would be more along the lines of a Linux box with connections to both your network and the internet. The DIYer would write up a set of rules using something like iptables, IP Tables that would specify what data is allowed in and out. A different option for DIY firewalls is Network Address Translation or NAT. NAT covers connection sharing and firewalls in one. NAT can be easy to set up and just works. A good page for info on setting up NAT can be found at Netfilter

A firewall on your own computer.

Probably the easiest to keep an eye on this would consist of a program you have installed and have running in the background. A popular firewall for this sort of use is Zone Alarm. A free download is available at Zonelabs There is also a Zone Alarm Pro which is more configurable and includes "Powerful Identity & Privacy Protections". A 15 day trial download is available, if you want to use it after that you'll need $US39.95. Windows XP has a built in firewall but it isn't very good to say the least. Currently it is best to use a seperate program. Part of Service Pack 2 is a greatly improved firewall.

Regular virus scans

If you do nothing else regular virus scans are a must. Your antivirus software should be able to schedule scans so you don't have to remember to run them.

Speaking of software Microsoft is working on an anti-spyware program called Windows Defender. It's based on Giant Software's Antispyware and at the moment is currently Beta 2. Early reviews are coming out very favourably for Windows Antispyware and not just for the amount of spyware detected but also for it's look and ease of use. One drawback though is that it will require a subscription fee while other products like Spybot and Adaware are still completely free. If you want to download the beta and check it out it can be found at Microsoft Website

# Warning

Do not use Spyware Eliminator from Aluria Software. Aluria has partnered with spyware company WhenU and removed WhenU's spyware from their spyware definitions. As a result Aluria's products, including Spyware Eliminator, regard WhenU's spyware as safe and will NOT remove it. More info can be found on Slashdot Here